When you send an external sharing link from OneDrive for Business to a client, the client clicks the link and sees an “Access Denied” or “You don’t have permission” error. This happens even though you intended the link to grant view or edit access. The cause is almost always a mismatch between the link sharing settings, the recipient’s authentication method, or tenant-level external sharing policies. This article explains why these access denied errors occur and provides step-by-step fixes you can apply before resending the link.
Key Takeaways: Fixing OneDrive External Sharing Links That Show Access Denied
- OneDrive sharing dialog > Link settings > Specific people: If the link type is set to “Specific people” and the client is not a guest in your tenant, the client will always see access denied.
- Microsoft 365 admin center > Settings > Org settings > Sharing > External sharing: Controls the tenant-wide policy that allows or blocks sharing with people outside your organization.
- Azure AD > External Identities > External collaboration settings: Determines whether guest users can self-sign-up or require an admin invitation to access shared content.
Why OneDrive External Sharing Links Return Access Denied
OneDrive for Business external sharing links rely on three layers of permission: the link type you choose in the sharing dialog, the tenant-wide sharing policy set by your IT admin, and the recipient’s authentication status in Azure Active Directory. If any of these layers blocks the request, the client sees access denied.
The most common root cause is selecting the “Specific people” link type. This option creates a link that only works for recipients who already have a guest account in your Microsoft 365 tenant. If the client is not a guest, the link fails immediately. The second most common cause is the tenant-level policy that restricts external sharing to authenticated users only. When this policy is enabled, the client must sign in with a Microsoft account or work account. If the client does not have one, or if their account is not from a trusted domain, access is denied.
A third cause involves the sharing link expiration and password settings. If you set a link to expire after a short period or protected it with a password, the client may not meet the conditions and receives a generic access denied error instead of a clear password prompt.
Steps to Diagnose and Fix Access Denied on External Sharing Links
Before resending the link, verify the link type and tenant policies. Follow these steps in order.
- Check the link type you created
Open the file or folder in OneDrive on the web. Click the Share button. In the sharing dialog, look at the link type shown below the file name. If it says “Specific people,” change it to “Anyone with the link” for client projects. Click the gear icon next to the link type, select “Anyone with the link,” choose view or edit permissions, and click Apply. Copy the new link and send it to the client. - Verify the tenant external sharing policy
Sign in to the Microsoft 365 admin center at admin.microsoft.com. Go to Settings > Org settings > Sharing. Under External sharing, look for the OneDrive section. The setting must be set to “Allow sharing to authenticated external users” or “Allow sharing to anyone.” If it is set to “Only people in your organization,” external sharing is blocked. Contact your IT admin to change this policy. - Check the sharing link expiration and password settings
In the OneDrive sharing dialog, click the gear icon next to the link type. Look for the expiration date field. If a date is set and has passed, the link is expired. Remove the expiration or set a future date. If a password is required, share the password with the client through a separate communication channel. After making changes, click Apply and copy the updated link. - Test the link in a private browser window
Open a private or incognito browser window. Paste the link you copied. If the client is not signed into any Microsoft account, the page should prompt them to sign in or show the file directly if the link type is “Anyone with the link.” If you see access denied, the issue is still with the link type or tenant policy. Recheck the link type in step 1. - Add the client as a guest user if needed
If you must use the “Specific people” link type for security reasons, add the client as a guest user in Azure AD. Go to the Microsoft 365 admin center at admin.microsoft.com. Under Users > Guest users, click Add guest user. Enter the client’s email address. Enter a display name. Click Send invite. The client receives an invitation email. After the client accepts the invitation and activates their guest account, the “Specific people” link will work. - Verify Azure AD external collaboration settings
Sign in to the Azure portal at portal.azure.com. Go to Azure Active Directory > External Identities > External collaboration settings. Ensure that “Guest invite settings” is set to “Anyone in the organization can invite guest users including guests and non-admins” or a less restrictive option. If it is set to “Only users assigned to specific admin roles can invite guest users,” only those admins can send invitations. If you are not an admin, request that an admin add the client as a guest.
If the Client Still Sees Access Denied After These Fixes
The client is trying to access the link from a blocked domain or IP range
Some organizations configure conditional access policies in Azure AD that block access from specific geographic regions or IP ranges. If the client’s IP address falls within a blocked range, they will see access denied even if the link is correct. The client can try accessing the link from a different network, such as a personal hotspot. If that resolves the issue, the client’s corporate network may be blocked. Contact your IT admin to review conditional access policies.
The link works for you but fails for the client
This usually indicates a browser cache or cookie issue on the client side. Ask the client to clear their browser cache and cookies, then try the link again. Alternatively, the client can try a different browser or a private browsing window. If the issue persists, the link type is likely “Specific people” and the client has not been added as a guest. Repeat the guest invitation process in step 5 above.
The file or folder was moved or deleted after the link was created
If you move the file or folder to a different location within OneDrive, the existing link continues to work. However, if you delete the file or folder, the link becomes invalid and shows access denied. Check the OneDrive recycle bin. If the file is in the recycle bin, restore it. The link will work again. If the file is permanently deleted, create a new sharing link for the replacement file.
External Sharing Link Types: Comparison of Access Levels
| Item | Anyone with the link | Specific people |
|---|---|---|
| Authentication required | No sign-in required | Recipient must be a guest in your tenant |
| Best for client projects | Yes, quick access without account setup | No, unless the client is already a guest |
| Security risk | Anyone who obtains the link can access the file | Only invited guests can access |
| Expiration and password support | Yes, both can be set | Yes, both can be set |
| File preview without download | Yes, in the browser | Yes, in the browser |
For client projects, the “Anyone with the link” type is the most practical option. It removes authentication barriers and reduces support calls about access denied errors. If your organization requires tighter security, use the “Specific people” link type and add the client as a guest before sending the link.
You can now diagnose and resolve access denied errors on OneDrive external sharing links by checking the link type, tenant policy, expiration settings, and guest invitation status. For your next client project, use the “Anyone with the link” type to avoid authentication issues. If security policies force you to use “Specific people,” automate the guest invitation process by creating a shared mailbox for client invites. This reduces the manual steps each time you share a file.